HMAC Generator
Compute HMAC-SHA256, SHA-1, or SHA-512 signatures from a message and secret key.
Enter both a message and a secret key to compute the HMAC.
About the HMAC Generator
An HMAC is a signature over a message, computed with a shared secret key. Unlike a plain hash, which anyone can compute, an HMAC can only be produced and verified by someone holding the key. That is what makes it the standard way to prove a message is authentic and unmodified: webhook signatures, API request signing, and session token integrity all use HMAC.
This tool computes HMAC-SHA256 (the modern default), HMAC-SHA1 (still used by older systems and TOTP), and HMAC-SHA512, showing the result in both hex and base64, since different systems expect different encodings.
The most common use: verifying you implemented webhook signature checking correctly. Take the raw body of a captured webhook, the signing secret from the provider dashboard, and compare the HMAC computed here against the signature header they sent. Keys and messages never leave your browser; signing runs on the Web Crypto API.
Reach developers and designers who use these tools every day. Privacy-first, no trackers.
Frequently asked questions
What is the difference between a hash and an HMAC?
A hash proves integrity (the data was not changed), but anyone can compute it. An HMAC proves integrity and authenticity, because computing it requires the secret key. Use HMAC whenever you need to know who produced the value.
Hex or base64, which do I need?
Whatever the system you are matching expects. Stripe and GitHub webhook signatures are hex. AWS request signing uses hex. Many JWT libraries and HTTP APIs use base64. Both encode the same bytes.
Is HMAC-SHA1 still safe?
For HMAC, yes. The collision attacks that broke SHA-1 for certificates do not apply to its use inside HMAC. New designs should still pick HMAC-SHA256, but verifying an existing HMAC-SHA1 integration is fine.